FAQ: Not your usual cyber attack – why NUS, NTU are ‘prime targets’

SINGAPORE: The first known instance of sophisticated cyber attacks on universities in Singapore on Friday (May 12) draws attention to institutes of education as a prime target from which to attack Government networks, cybersecurity experts told Channel NewsAsia.

Rather than being the work of casual hackers, both attacks involved what is known as advanced persistent threats (APTs) – and the hackers were possibly after Government information or research, rather than students’ data.

Channel NewsAsia put some key questions about such attacks to cybersecurity firms.

Q: What are APT attacks?

The critical word in advanced persistent threat (APT) is “persistent” – sophisticated threats that get into a network and stay undetected for a long time, said Mr Sanjay Aurora of Darktrace.

Attacks can be facilitated through a compromised USB stick or malware in the system. Perpetrators often acquire legitimate user credentials, allowing them to bypass traditional security tools like firewalls easily.

Once these threat actors are inside the network, it becomes extremely difficult to distinguish their behaviour from that of legitimate network users, said Mr Aurora.

He added that these attackers can then move silently within the organisation’s network for weeks or months, searching for critical information before eventually executing an attack.

Q: How long could the APT have been hidden in the network before being detected?

Reports of the NUS and NTU attacks suggest in both cases that the intrusions were detected during regular system checks, said Mr Nick FitzGerald of ESET.

“This could mean that the attackers were only present for the time between such checks, or perhaps, after taking the attackers months to locate the material they were seeking, it was only when they started exfiltrating large amounts of data from the network that they tripped some alarms?”

Citing 2016 statistics, Mr Elon Ben-Meir of CyberInt said that the average dwell time of APTs can be 190 days.

Darktrace’s Mr Aurora added that it can take up to 230 days – or longer – for an organisation to realise it has been breached and critical systems compromised. “We once started working with a customer, only to find that there was a sophisticated threat inside their network that had been there for eight years.”

Q: How do APTs differ from other targeted attacks?

APT attacks occur over long periods of time, during which the attackers move slowly and quietly to avoid detection, Nick Savvides of Symantec told Channel NewsAsia.

“The main difference is that while common targeted attacks use short-term ‘smash and grab’ methods, APT incursions are designed to establish a beach head from which to launch covert operations over an extended period of time.”

And unlike the fast-money schemes typical of more common targeted attacks, APTs are designed for international espionage and/or sabotage, usually involving covert state actors, Mr Savvides added.

Its objectives may include military, political, or economic intelligence gathering, confidential data or trade secrets, disruption of operations, or even destruction of equipment.

The groups behind APTs are well funded and staffed, and may operate with the support of military or state intelligence.

Q: How are APT attacks evolving?

Attackers are no longer simply stealing data – they are changing it, too, destroying confidence in the integrity of data, through so-called “trust attacks”, said Mr Aurora.

“These attackers are not just using their ability to hack information systems now to make a quick buck, but to cause long-term, reputational damage to individuals or groups, by eroding trust in the data itself.”

Another trend involves attackers using automated technology that is able to enter a network surreptitiously and carry out the mission without human oversight, Mr Aurora noted.

The beginnings of this trend can be seen in ransomware attacks such as those seen in the UKand Spain on Friday, where the malware automatically encrypts large amounts of data within seconds, before demanding a ransom in return for the decryption key.

“We can only expect this trend to get worse. These attacks are too fast-moving for any security team, no matter how large, to keep up,” Mr Aurora said.

Q: Why target educational institutions like NUS and NTU?

This first case of a sophisticated attack on universities in Singapore highlights that cybercriminals do not just target industries such as banks, Mr FitzGerald said, calling education institutions a “prime target”.

“It should not be surprising that tertiary education institutions are also attractive to cybercriminals, given that government and research data are likely to be attractive to highly motivated adversaries, including nation-state actors.

Q: What other sectors are potential targets as a point from which to attack Government networks?

Mr Savvides noted that while nearly any large organisation is susceptible to targeted attacks, APTs are aimed at a much smaller range of targets: Government agencies and facilities, defence contractors, and manufacturers of products that are highly competitive on global markets.

“We see more and more attacks where third-party vendors are being targeted as they work closely with Government agencies and may have access to Government networks,” said Mr Ben-Meir.

Mr Aurora added that any user or device that is connected to a Government network could be used as an in-road – whether that is a supply chain organisation, a Government employee, a subcontractor or any other third party.

Quipped Mr FitzGerald: “(They) should not assume that, just because their work for the government might not be publicly known, the bad guys are not targeting them!”

Q: What should IT professionals do?

IT professionals need to move to a detection-and-response system, said Mr Ben-Meir. “IT professionals need to react to the threat rather than act on the crisis. They need to identify the crown jewels of the organisation and invest more in protecting these crown jewels.”

Mr FitzGerald noted that multi-level cybersecurity measures such as two-factor authentication (2FA), which has been adopted by local agencies for SingPass and local banks, could be explored to strengthen the security infrastructure on the government level.

Q: What should end-users do?

Laymen need to equip themselves with the basics such as anti-virus software and firewalls, Mr Ben-Meir said.

They should also be wary of suspicious emails and not follow the instructions given in such emails, such as opening a corrupt file that may plant malware in their devices.

Mr FitzGerald noted that cybercriminals may even use the news of this attack as the basis for subsequent phishing attacks, in which they send emails asking the recipient to change their password due to the recent attack. “These emails helpfully provide a link that, of course, does not go to a legitimate login or password change page but to one controlled by the bad guys,” he said.